Test domain 3: Design Secure Applications and Architectures

This domain makes up 24% of the exam and includes the following three objectives:

  1. Design secure access to AWS resources.
  2. Design secure application tiers.
  3. Select appropriate data security options.

What you need to know

Here are some things you should know about:

You need to understand how to use native AWS technologies and solution architecture to create secure applications. This includes configuring security controls for authentication, authorization, and access, as well as applying encryption to data.

You need to know how to design isolation and separation through AWS service architecture, Amazon EC2 instance deployment options, and Amazon VPC configuration.

You should also understand the best practices for implementing services in the most secure manner, and the best practices for creating users, groups, and roles with AWS IAM. You need to know which services can use Multi-Factor Authentication. In addition, you should have a thorough understanding of the available AWS Directory Services and when to use each of them.

Questions asking you to identify which technologies include DDoS mitigation come up often. These include AWS Auto Scaling, Amazon CloudFront, and Amazon Route 53.

You should also know how to implement monitoring and logging using Amazon CloudWatch and AWS CloudTrail, when and what penetration testing you are allowed to perform within the AWS cloud, and which compliance programs AWS complies with.

Technologies you need to know for domain 3 include Amazon VPC, AWS KMS, AWS CloudHSM, AWS IAM, Amazon Cognito, and AWS Directory Services.

Here are some example questions you can expect from this test domain:


You have been asked to come up with a solution for providing single sign-on to existing staff in your company who manage on-premises web applications and now need access to the AWS Management Console to manage resources in the AWS cloud.

Which product combination provides the best solution to achieve this requirement?

A) Your on-premises LDAP directory with IAM

B) IAM and MFA

C) The AWS Secure Token Service (STS) and SAML

D) IAM and Amazon Cognito

Correct Answer: C)

Explanation

Single sign-on using federation allows users to log in to the AWS Management Console without being assigned IAM credentials. The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate yourself, such as federated users from an on-premises directory. Federation with an on-premises directory (typically Active Directory) uses SAML 2.0 for authentication and grants temporary access based on the user's AD credentials; the user does not need to exist as a user in IAM.
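The STS-plus-SAML federation described in the explanation above, shown from the defender's side as an added Python example (this is not code from the course page or from AWS). It builds the IAM role trust policy that lets a SAML identity provider call `sts:AssumeRoleWithSAML`, checks that the policy pins the audience to the AWS sign-in endpoint so an assertion minted for another service cannot be presented against the role, and parses the `Role` attribute from a SAML assertion the way the AWS sign-in flow does to learn which role/provider pairs the IdP granted. The account id, provider name `CorpAD`, role names and the unsigned sample assertion are all constructed values.

```python
"""Added example (not part of the course page): IAM role trust policy for
SAML federation, a checker for its least-privilege properties, and a parser
for the Role attribute of a SAML assertion. Signature validation of the
assertion is out of scope here; STS performs it before issuing credentials.
"""
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for a role that only the named SAML provider may assume.
    The SAML:aud condition ties the assertion to the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return the weaknesses found in a SAML role trust policy (empty if none)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithSAML" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if principal == "*" or federated == "*":
            findings.append("federated principal is a wildcard")
        elif not str(federated).startswith("arn:aws:iam::") or ":saml-provider/" not in str(federated):
            findings.append("principal is not an IAM SAML provider ARN")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition")
    return findings


def roles_from_assertion(assertion_xml: str) -> list:
    """Extract (role_arn, provider_arn) pairs from the Role attribute.
    Each value is 'role-arn,provider-arn'; AWS accepts either order, so the
    role is identified by its ':role/' segment rather than by position."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",", 1)]
            if len(parts) != 2:
                continue
            role_arn = next((p for p in parts if ":role/" in p), None)
            provider_arn = next((p for p in parts if ":saml-provider/" in p), None)
            if role_arn and provider_arn:
                pairs.append((role_arn, provider_arn))
    return pairs


# Constructed, unsigned sample assertion (not a real IdP response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ConsoleAdmins,arn:aws:iam::123456789012:saml-provider/CorpAD</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpAD,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    policy = saml_trust_policy("123456789012", "CorpAD")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
    weak = saml_trust_policy("123456789012", "CorpAD")
    del weak["Statement"][0]["Condition"]  # audience no longer pinned
    print("findings without audience condition:", trust_policy_findings(weak))
    for role_arn, provider_arn in roles_from_assertion(SAMPLE_ASSERTION):
        print(role_arn, "via", provider_arn)
```

The trust policy is the piece an architect actually writes; the checker shows the two properties worth reviewing on any federated role: the principal is a specific SAML provider ARN rather than a wildcard, and the audience condition is present. The assertion parser reflects what happens after the IdP authenticates the user: the roles the user may pick come from the assertion, and the user never needs an IAM user or long-lived keys.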


Test domain 4: Design Cost-Optimized Architectures

This domain makes up 18% of the exam and includes the following objectives:

  1. Identify cost-effective storage solutions.
  2. Identify cost-effective compute and database services.
  3. Design cost-optimized network architectures.

What you need to know

Here are some things you should know about:

This small but important area of the exam requires architects to consider cost-effectiveness when deploying applications on AWS.

You need to understand the various cost models of compute and storage services, what you pay for, and what the best choices would be given a specific scenario.

Here are some example questions you can expect from this test domain:


An architect is designing a serverless application that will accept images uploaded by users from around the world. The application will make API calls to backend services and save the user’s session state data to a database.

Which combination of services would provide a solution that is cost effective while delivering the least latency?

A) Amazon CloudFront, API Gateway, Amazon S3, AWS Lambda, DynamoDB

B) API Gateway, Amazon S3, AWS Lambda, DynamoDB

C) Amazon CloudFront, API Gateway, Amazon S3, AWS Lambda, Amazon RDS

D) Amazon S3, API Gateway, AWS Lambda, Amazon RDS

Correct Answer: A)

Explanation

Amazon CloudFront caches content closer to users at edge locations around the world, which makes it the lowest-latency option for uploading content. API Gateway and AWS Lambda are present in all options. DynamoDB can be used for storing session state data.


Up next

Now that you are familiar with the exam structure and test domains, the upcoming lesson will discuss all the services and technologies that the exam will test.

The chapters are broken down based on the technologies that they discuss. Each chapter concludes with a short quiz.
